By default when you add new user to system (/etc/passwd file) it grant shell access. If you are creating new users for POP3 or SMTP (mail server) or FTP then you do not need to grant shell access to a user. Remember as soon as you add a user he/she can login via telnet or ssh. The best way to put Linux shell access restriction is to use special shell called nologin, which politely refuse a login. It displays a message that an account is not available and exits non-zero. It is intended as a replacement shell field for accounts that have been disabled or have other user level access such as ftp, pop3, smtp etc. This is a very common practice followed by ISP or web hosting service provider’s web, mail and FTP server(s).

/sbin/nologin Example

(a) First make sure nologin exists in /etc/shells file (else service such as ftp may not allow login)# less /etc/shells If nologin shell does not exist in above shell list, just add /sbin/nologin shell to it:# echo "/sbin/nologin" >> /etc/shells If you are using Debian then use following path:# echo "/usr/sbin/nologin" >> /etc/shells (b) Block shell access for user vivek (vivek user account must exits):# usermod -s /sbin/nologin vivek Debain Linux user modify above command as follows:# usermod -s /usr/sbin/nologin vivek Now user vivek’s new login shell is /sbin/nologin. Vivek allowed to use other services such as ftp, pop3 but not shell access via ssh or telnet.